CVE-2026-45321 · CRITICAL 9.6 · CISA KEV · EPSS p72.6%

CVE-2026-45321: TanStack Unspecified Vulnerability

TanStack / TanStack

Description

TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry, distributing credential-stealing malware under a trusted identity.

Scoring

CVSS 3.1: 9.6 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 1.60% probability of exploitation · percentile 72.6% · 2026-06-19T12:03:05Z
Published: 2026-05-12
Last modified: 2026-05-14

CISA KEV entry

Added to KEV: 2026-05-27

Underlying weaknesses · 1

CWE-506

References

  1. https://github.com/TanStack/router/issues/7383
  2. https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
  3. https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
  4. https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

1

Type | Target | Confidence | Tier
Weakness | Embedded Malicious Code (cwe-506) | 0% | live

(incoming) · 1

Type | Target | Confidence | Tier
KEVEntry | TanStack Unspecified Vulnerability (kev-cve-2026-45321) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-10894
  2. CVE-2026-35467
  3. CVE-2026-23654
  4. CVE-2025-25268
  5. CVE-2025-21369
  6. CVE-2026-2630

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.